EVIDENCE TRAIL
AI-source disclosure UI — visible AI labelling at the point of action
Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The strongest legal mandate is EU AI Act Article 50 (paragraphs 1 and 2), which separately covers interaction-level disclosure and machine-readable content marking. NIST AI 600-1 MS-2.7-003 is the closest action-level analogue from the US federal framework.
Last cross-checked against upstream sources · 8 sources
References
Each entry shows what the source supports and what it does not prove.
EU AI Act — Article 50, paragraph 1
Article 50 — Transparency obligations for providers and deployers of certain AI systems — paragraph 1
"Providers shall ensure that AI systems intended to interact directly with natural persons are designed and developed in such a way that the natural persons concerned are informed that they are interacting with an AI system, unless this is obvious from the point of view of a natural person who is reasonably well-informed, observant and circumspect, taking into account the circumstances and the context of use."
Supports: Verbatim legal mandate for interaction-level AI disclosure (the third labelling layer in this control). Applies to any AI system that interacts directly with natural persons, scoped to EU jurisdiction.
Does not prove: Does not specify the visual format of the disclosure, its persistence, or how friction should scale with action irreversibility. The exemption for "obvious" AI use is fact-specific and not self-executing.
EU AI Act — Article 50, paragraph 2
Article 50 — Transparency obligations for providers and deployers of certain AI systems — paragraph 2
"Providers of AI systems, including general-purpose AI systems, generating synthetic audio, image, video or text content, shall ensure that the outputs of the AI system are marked in a machine-readable format and detectable as artificially generated or manipulated."
Supports: Verbatim mandate for content-level machine-readable marking of AI-generated outputs — the technical foundation for the content-level labelling layer of this control.
Does not prove: Paragraph 2 addresses machine-readable marks (watermarks, C2PA manifest), not the human-visible UI badge. Human-visible labelling of deepfakes is covered separately in paragraph 4. Exceptions apply for assistive editing and non-substantial alterations.
NIST AI 600-1 — Generative AI Profile (GOVERN 1.2)
GOVERN 1.2 — Action GV-1.2-001
"Establish transparency policies and processes for documenting the origin and history of training data and generated data for GAI applications to advance digital content transparency, while balancing the proprietary nature of training approaches."
Supports: Names "digital content transparency" as a governance policy requirement for GAI applications, providing an upstream policy anchor for content-level labelling practices.
Does not prove: GV-1.2-001 addresses data-origin documentation for governance purposes, not the user-visible label at the point of action. Helmwart operationalises this upstream policy requirement as a concrete UI control.
NIST AI 600-1 — Generative AI Profile (MEASURE 2.7)
MEASURE 2.7 — Action MS-2.7-003
"Conduct user surveys to gather user satisfaction with the AI-generated content and user perceptions of content authenticity. Analyze user feedback to identify concerns and/or current literacy levels related to content provenance and understanding of labels on content."
Supports: Explicitly references "understanding of labels on content" as a measurable outcome in an AI security and resilience context. This is the closest NIST AI 600-1 action to directly naming user-facing AI labelling.
Does not prove: MS-2.7-003 is a measurement action (survey users), not a mandate to display a label. It presupposes labels exist and asks organizations to measure whether users understand them. Does not specify label format or friction levels.
Coalition for Content Provenance and Authenticity (C2PA) — Content Credentials Standard
C2PA mission statement / content credentials overview
"Content Credentials work like a nutrition label for digital content, giving a peek at the content's history available for anyone to access, at any time."
Supports: The "nutrition label" framing directly maps to the content-level labelling layer of this control. C2PA is the leading open standard for machine-readable AI-content provenance marks required by EU AI Act Art. 50(2).
Does not prove: C2PA addresses machine-readable provenance metadata — it is a technical substrate for labels, not a UI pattern prescription. Whether and how the C2PA manifest surfaces as a human-visible badge is an implementation decision above the standard.
NIST AI 100-1 — AI Risk Management Framework 1.0
No verbatim excerpt pulled yet — open the original to verify the cited section.
Supports: MAP-5.2 establishes the practice of regular engagement with AI actors to integrate feedback about impacts — the feedback loop (user-confirmation latency, override rate) that this control uses to calibrate label friction over time.
Does not prove: MAP-5.2 as published covers stakeholder feedback integration, not user-facing AI source labelling per se. The MDX cites MAP-5.2 as a user-facing labelling reference; that is an overreach — MAP-5.2 supports the feedback-calibration rationale, not the disclosure mandate. No verbatim excerpt pulled for the labelling claim.
MITRE ATLAS — AML.M0021 Generative AI Guidelines
No verbatim excerpt pulled yet — open the original to verify the cited section.
Supports: Names policy-level safety controls — including transparency constraints baked into system instructions — as a recognized mitigation class for generative AI systems. AI-source disclosure UI is one operationalisation of such a policy constraint.
Does not prove: AML.M0021 covers system-prompt and policy-level constraints broadly; it does not prescribe user-visible disclosure labels or action-level friction mechanisms specifically. No verbatim description text was retrievable from the ATLAS catalogue at time of cross-check.
MITRE ATLAS — AML.M0034 Deepfake Detection
No verbatim excerpt pulled yet — open the original to verify the cited section.
Supports: Names synthetic-content detection as a mitigation for adversarial AI content — the defensive complement to this control. Where this control labels AI-generated content proactively, AML.M0034 addresses post-hoc detection when provenance has not been disclosed.
Does not prove: AML.M0034 is a detection-side control, not a UI disclosure control. It does not prescribe interaction-level or action-level labelling. No verbatim description text was retrievable from the ATLAS catalogue at time of cross-check.